1.

Security and Compliance has identified secure third-party applications that should have
access to Google Workspace data. You need to restrict third-party access to only approved
applications
What two actions should you take? (Choose two.)

A. Whitelist Trusted Apps

B. Disable the Drive SDK
C. Restrict API scopes
D. Disable add-ons for Gmail
E. Whitelist Google Workspace Marketplace apps

Answer: A,C

2. Your company has an OU that contains your sales team and an OU that contains your
market research team. The sales team is often a target of mass email from legitimate senders,
which is distracting to their job duties. The market research team also receives that email
content, but they want it because it often contains interesting market analysis or competitive
intelligence. Constant Contact is often used as the source of these messages. Your company
also uses Constant Contact for your own mass email marketing. You need to set email controls
at the Sales OU without affecting your own outgoing email or the market research OU.
What should you do?

A. Create a blocked senders list as the Sales OU that contains the mass email sender
addresses, but bypass this setting for Constant Contact emails.
B. Create a blocked senders list at the root level, and then an approved senders list at the
Market Research OU, both containing the mass email sender addresses.
C. Create a blocked senders list at the Sales OU that contains the mass email sender
addresses.
D. Create an approved senders list at the Market Research OU that contains the mass email
sender addresses.
Answer: C

3. Your organization syncs directory data from Active Directory to Google Workspace via
Google Cloud Directory Sync. Users and Groups are updated from Active Directory on an hourly
basis. A user's last name and primary email address have to be changed. You need to update
the user’s data.
What two actions should you take? (Choose two.)
A. Add the user's old email address to their account in the Google Workspace Admin panel.
B. Change the user's primary email address in the Google Workspace Admin panel.
C. Change the user's last name in the Google Workspace Admin panel.
D. Change the user's primary email in Active Directory.
E. Change the user's last name in Active Directory.
Answer: D,E

4. Your Chief Information Security Officer is concerned about phishing. You implemented 2
Factor Authentication and forced hardware keys as a best practice to prevent such attacks. The
CISO is curious as to how many such email phishing attempts you've avoided since putting the
2FA+Hardware Keys in place last month.
Where do you find the information your CISO is interested in seeing?

A. Security > Advanced Security Settings > Phishing Attempts

B. Apps > Google Workspace > Gmail > Phishing Attempts
C. Security > Dashboard > Spam Filter: Phishing
D. Reporting > Reports > Phishing
Answer: C

5. Your company recently decided to use a cloud-based ticketing system for your customer
care needs. You are tasked with rerouting email coming into your customer care address,
customercare@your-company.com to the cloud platform’s email address, yourcompany@
cloudprovider.com. As a security measure, you have mail forwarding disabled at the
domain level.
What should you do?

A. Create a mail contact in the Google Workspace directory that has an email address of
yourcompany@cloudprovider.com
B. Create a rule to forward mail in the customercare@your-company.com mailbox to
yourcompany@cloudprovider.com
C. Create a recipient map in the Google Workspace Admin console that maps
customercare@your-company.com to your-company@cloudprovider.com
D. Create a content compliance rule in the Google Workspace Admin console to change route
to your- company@cloudprovider.com
Answer: C

6. Your organization does not allow users to share externally. The security team has recently
approved an exemption for specific members of the marketing team and sales to share
documents with external customers, prospects, and partners.
How best would you achieve this?
A. Create a configuration group with the approved users as members, and use it to create a
target audience.
B. Enable external sharing for the marketing and sales organizational units.
C. Enable external sharing only to allowlisted domains provided by marketing and sales teams.
D. Create a configuration group with the approved users as members, and enable external
sharing for this group.
Answer: D

7. As a team manager, you need to create a vacation calendar that your team members can
use to share their time off. You want to use the calendar to visualize online status for team
members, especially if multiple individuals are on vacation What should you do to create this
calendar?

A. Request the creation of a calendar resource, configure the calendar to “Auto-accept

invitations that do not conflict,” and give your team “See all event details” access.

B. Create a secondary calendar under your account, and give your team “Make changes to
events” access.

C. Request the creation of a calendar resource, configure the calendar to “Automatically add all
invitations to this calendar,” and give your team “See only free/busy” access.

D. Create a secondary calendar under your account, and give your team “See only free/busy”
access.

Answer : C

8. After making a recent migration to Google Workspace, you updated your Google Cloud
Directory Sync configuration tos ynchronize the global address list. Users are now seeing
duplicate contacts in theirglobal directory in Google Workspace. You need to resolve this
issue.What should you do?
A.Train users to use Google Workspace's merge contacts feature.
B.Enable directory contact deduplication in the GoogleWorkspaceAdmin panel.
C.Update shared contact search rules to exclude internal users.
D.Create a new global directory, and delete the original.
Answer : C
9.Your company policy requires that managers be provided access to Drivedata once an
employee leaves the company. How should you grant this access?

A.Make the manager a delegate to the former employee's account.

B.Copy the data from the former employee's My Drive tothemanager'sMyDrive.
C.Transfer ownership of all Drive data using the file transfer ownership tool in the Google
Workspace Admin console.
D.Login as the user and add the manager to the file permissions using the''Is owner' privilege
for all Drive files.
Answer : C

10. The CEO of your company heard about new security and collaboration features and wants
to know how to stay up to date.You are responsible for testing and staying up to date with new
features,and have been asked to prepare a presentation for management.What should you do?

A.Download the Google Workspace roadmap, and work together with a deployment specialist
for newfeatures.
B.Create a support ticket for the Google Workspace roadmap,andaskto enable the latest
release of Google Workspace.
C.Subscribe to the Google Workspace release calendar, and Join the Google Cloud Connect
Community.
D.Change Google Workspace release track to: RapidReleaseforfasteraccess to new features.

Answer: C

11. Your company recently acquired an organization that was not leveraging Google
Workspace. Your company is currently using Google Cloud Directory Sync (GCDS) to sync from
an LDAP directory into Google Workspace. You want to deploy a second instance of GCDS and
apply the same strategy with the newly acquired organization, which also has its users in an
LDAP directory. How should you change your GCDS instance to ensure that the setup is
successful? (Choose two.)

A. Provide your current GCDS instance with admin credentials to the recently acquired
organization's LDAP directory.

B. Add an LDAP sync rule to your current GCDS instance in order to synchronize new users.

C. Set up exclusion rules to ensure that users synced from the acquired organization's LDAP are
not, suspended.

D. Set up an additional instance of GCDS running on another server, and handle the acquired
organization's synchronization.
E. Upgrade to the multiple LDAP version of GCDS.

Answer : A,D

12. A user reached out to the IT department about a Google Group that they
own: info@company.com. The group is receiving mail, and each message is also delivered
directly to the user's Gmail inbox. The user wants to be able to reply to messages directly from
Gmail and have them sent on behalf of the group, not their individual account. Currently, their
replies come from their individual account. What would you instruct the user to do?

A. Create a new content compliance rule that matches the user's outgoing messages with the
group copied, and have it modify the sender to be the group address.

B. Add the group as an email address that can be sent from within Gmail, and verify that the
user has access. They can then choose to reply from the group.

C. Add the user's individual account as a delegate to the group's inbox. They can then toggle
between the accounts and use the Gmail interface on behalf of the group.

D. Set the group address to be the default sender within the group's posting policies.

Answer : C

13. Your organization recently deployed Google Workspace. Your admin team has been very
focused on configuring the core services for your environment, which has left you little time to
pay attention to other areas. Your security team has just informed you that many users are
leveraging unauthorized add-ons, and they are concerned about data exfiltration. The admin
team wants you to cut off all add-ons access to Workspace data immediately and block all
future add-ons until further notice. However, they approve of users leveraging their Workspace
accounts to sign into third-party sites. What should you do?

A. Modify your Marketplace Settings to block users from installing any app from the
Marketplace.

B. Set all API services to “restricted access” and ensure that all connected apps have limited
access.

C. Remove all client IDs and scopes from the list of domain-wide delegation API clients.

D. Block each connected app's access.

Answer : C

14. Your organization has just completed migrating users to Workspace. Many employees are
concerned about their legacy Microsoft Office documents, including issues of access, editing,
and viewing. Which two practices should you use to alleviate user concerns without limiting
Workspace collaboration features? (Choose two.)

A. Configure Context-Aware Access policies to block access to Microsoft Office applications.

B. Demonstrate the ability to convert Office documents to native Google file format from Drive.

C. Demonstrate and train users to use the Workspace Migrate tool.

D. Deliver training sessions that show the methods to access and edit native Office files in Drive,
the Workspace file editors, and Drive for Desktop.

E. Continue to use installed Office applications along with Google Drive for Desktop.

Answer : A,D

15. Your organization is using Password Sync to sync passwords from Active Directory to Google
Workspace. A user changed their network password and cannot log in to Google Workspace
with the new password. What steps should you take to troubleshoot this issue?

A. Reinstall Password Sync on all domain controllers.

B. Reauthorize the Password Sync tool in the Google Workspace Admin Console.

C. Confirm that the Password Sync service is running on all domain controllers.

D. Reset the user's password in Active Directory.

Answer : B

16. Your sales team, which is organized as its own organizational unit, is prone to receiving
malicious attachments. What action should you take, as an administrator, to apply an additional
layer of protection in the admin console for your sales team without disrupting business
operation?
A. Configure an attachment compliance rule to send any emails with attachments received by
users within the sales team organizational unit to an administrator quarantine.

B. Configure an attachment compliance rule to strip any attachments received by users within
the sales team organizational unit.

C. Configure the security sandbox feature on the sales team organizational unit.

D. Update the Email Allowlist in the admin console to only include IP addresses of known
senders.

Answer : B

17. As a Workspace Administrator, you want to keep an inventory of the computers and mobile
devices your company owns in order to track details such as device type and who the device is
assigned to. How should you add the devices to the company-owned inventory?

A. Download the company owned inventory template CSV file from the admin panel, enter the
serial number of the devices, and upload it back to the company owned inventory in the admin
panel.

B. Download the company owned inventory template CSV file from the admin panel, enter the
Device OS, serial number and upload it back to the company owned inventory in the admin
panel.

C. Download the company owned inventory template CSV file from the admin panel, enter the
asset tag of the devices, and upload it back to the company owned inventory in the admin
panel.

D. Download the company owned inventory template CSV file from the admin panel, enter the
Device OS, asset tag and upload it back to the company owned inventory in the admin panel.

Answer : A

18. When reloading Gmail in Chrome, the web browser returns a 500 Error. As part of the
troubleshooting process, Google support asks you to gather logs. How can this be
accomplished?

A. Chrome > Window Context Menu > More Tools > Developer Tools > Network Tab > Reload
the page to replicate the error > “Export HAR”
B. Admin.google.com > Reporting > Reports > Apps Reports > Gmail

C. chrome://net-export > Start Logging to Disk > Confirm validity with https://netlog-
viewer.appspot.com

D. Chrome > Window Context Menu > More Tools > Task Manager > Screen Capture List of
Running Processes

Answer : A

19. Your company is using Google Workspace Business Standard. The company has five meeting
rooms that are all registered as resources in Google Workspace and used on a daily basis by the
employees when organizing meetings. The office layout was changed last weekend, and one of
the meeting rooms is now a dedicated room for management. The CEO is complaining that
anyone can book the room and requested this room to be used only by the management team
and their executive assistants (EAs). No one else must be allowed to book it via Google
Calendar. What should you do?

A. As a super administrator, modify the room calendar sharing settings, and limit it to the
management and EAs group.

B. Delete the room from Google Workspace resources, and suggest using a spreadsheet shared
with the management and EAs only for the room schedule.

C. As a super administrator, create a group calendar named “Management Room,” and share it
only with the management and the EAs.

D. Move the room resource to the management and EAs group so that only they can use it.

Answer : C

20. You act as the Google Workspace Administrator for a company that has just acquired
another organization. The acquired company will be migrated into your Workspace
environment in 6 months. Management has asked you to ensure that the Google Workspace
users you currently manage can efficiently access rich contact information in Workspace for all
users. This needs to occur before the migration, and optimally without additional expenditure.
What step do you take to populate contact information for all users?

A. Bulk-upload the contact information for these users via CSV into the Google Directory.

B. Use the Domain Shared Contacts API to upload contact information for the acquired
company's users.
C. Provision and license Google Workspace accounts for the acquired company's users because
they will need accounts in the future.

D. Prepare an uploadable file to be distributed to your end users that allows them to add the
acquired company’s user contact information to their personal contacts.

Answer : D

21. Your organization is about to expand by acquiring two companies, both of which are using
Google Workspace. The CISO has mandated that strict ‘No external content sharing’ policies
must be in place and followed. How should you securely configure sharing policies to satisfy
both the CISO’s mandate while allowing external sharing with the newly acquired companies?

A. Allow external sharing of Drive content for the IT group only.

B. Create a Drive DLP policy that will allow sharing to only domains on an allowlist.

C. Use shared drives to store the content, and share only individual files externally.

D. Let users share files between the two companies by using the ‘Trusted Domains’ feature.
Create an allowlist of the trusted domains, and choose sharing settings for the users.

Answer : D

22. Your company is using Google Workspace Enterprise Plus, and the Human Resources (HR)
department is asking for access to Work Insights to analyze adoption of Google Workspace for
all company employees. You assigned a custom role with the work Insights permission set as
“view data for all teams” to the HR group, but it is reporting an error when accessing the
application. What should you do?

A. Allocate the “view data for all teams” permission to all employees of the company.

B. Confirm that the Work Insights app is turned ON for all employees.

C. Confirm in Security > API controls > App Access Controls that Work Insights API is set to
“unrestricted.”

D. Confirm in Reports > BigQuery Export that the job is enabled.

Answer : C
23. As the Workspace Administrator, you have been asked to configure Google Cloud Directory
Sync (GCDS) in order to manage Google Group memberships from an internal LDAP server.
However, multiple Google Groups must have their memberships managed manually. When you
run the GCDS sync, you notice that these manually managed groups are being deleted. What
should you do to prevent these groups from being deleted?

A. In the GCDS configuration manager, update the group deletion policy setting to “don't delete
Google groups not found in LDAP.”

B. Use the Directory API to check and update the group’s membership after the GCDS sync is
completed.

C. Confirm that the base DN for the group email address attribute matches the base DN for the
user email address attribute.

D. In the user attribute settings of the GCDS configuration manager options, set the Google
domain users deletion/suspension policy to “delete only active Google domain users not found
in LDAP.”

Answer : A

24. Your marketing department needs an easy way for users to share items more appropriately.
They want to easily link-share Drive files within the marketing department, without sharing
them with your entire company. What should you do to fulfil this request? (Choose two.)

A. Create a shared drive that's shared internally organization-wide.

B. Update Drive sharing for the marketing department to restrict to internal.

C. Create a shared drive for internal marketing use.

D. Update the link sharing default to the marketing team when creating a document.

E. In the admin panel Drive settings, create a target audience that has all of marketing as
members.

Answer : B,E
25. Your company has a broad, granular IT administration team, and you are in charge of
ensuring proper administrative control. One of those teams, the security team, requires access
to the Security Investigation Tool. What should you do?

A. Assign the pre-built security admin role to the security team members.

B. Create a Custom Admin Role with the Security Center privileges, and then assign the role to
each of the security team members.

C. Assign the Super Admin Role to the security team members.

D. Create a Custom Admin Role with the security settings privilege, and then assign the role to
each of the security team members.

Answer : B

26. Your organization has a new security requirement around data exfiltration on iOS devices.
You have a requirement to prevent users from copying content from a Google app (Gmail,
Drive, Docs, Sheets, and Slides) in their work account to a Google app in their personal account
or a third-party app. What steps should you take from the admin panel to prevent users from
copying data from work to non-work apps on iOS devices?

A. Navigate to “Data Protection” setting in Google Admin Console's Device management

section and disable the “Allow users to copy data to personal apps” checkbox.

B. Disable “Open Docs in Unmanaged Apps” setting in Google Admin Console’s Device
management section.

C. Navigate to Devices > Mobile and endpoints > Universal Settings > General and turn on Basic
Mobile Management.

D. Clear the “Allow items created with managed apps to open in unmanaged apps” checkbox.

Answer : A

27. Your organization recently implemented context-aware access policies for Google Drive to
allow users to access Drive only from corporate managed desktops. Unfortunately, some users
can still access Drive from non-corporate managed machines. What preliminary checks should
you perform to find out why the Context-Aware Access policy is not working as intended?
(Choose two.)
A. Confirm that the user has a Google Workspace Enterprise Plus license.

B. Delete and recreate a new Context-Aware Access device policy.

C. Check whether device policy application is installed on users’ devices.

D. Confirm that the user has at least a Google Workspace Business license.

E. Check whether Endpoint Verification is installed on users’ desktops.

Answer : C,E

28. Your organization has enabled spoofing protection against unauthenticated domains. You
are receiving complaints that email from multiple partners is not being received. While
investigating this issue, you find that emails are all being sent to quarantine due to the
configured safety setting. What should be the next step to allow uses to review these emails
and reduce the internal complaints while keeping your environment secure?

A. Add your partner domains IPs to the Inbound Gateway setting.

B. Change the spoofing protection to deliver the emails to spam instead of quarantining them.

C. Add your partner sending IP addresses to an allowlist.

D. Change the spoofing protection to deliver the emails to inboxes with a custom warning
instead of quarantining them

Answer : D

29. As the Workspace Administrator, you have been asked to delete a temporary Google
Workspace user account in the marketing department. This user has created Drive documents
in My Documents that the marketing manager wants to keep after the user is gone and
removed from Workspace. The data should be visible only to the marketing manager. As the
Workspace Administrator, what should you do to preserve this user's Drive data?

A. In the user deletion process, select “Transfer” in the data in other apps section and add the
manager's email address.

B. Use Google Vault to set a retention period on the OU where the users reside.
C. Before deleting the user, add the user to the marketing shared drive as a contributor and
move the documents into the new location.

D. Ask the user to create a folder under MyDrive, move the documents to be shared, and then
share that folder with the marketing team manager.

Answer : C

30. As a Google Workspace administrator for your organization, you are tasked with controlling
which third-party apps can access Google Workspace data. Before implementing controls, as a
first step in this process, you want to review all the third-party apps that have been authorized
to access Workspace data. What should you do?

A. Open Admin Console > Security > API Controls > App Access Control > Manage Third Party
App Access.

B. Open Admin Console > Security > API Controls > App Access Control > Manage Google
Services.

C. Open Admin Console > Security > Less Secure Apps.

D. Open Admin Console > Security > API Controls > App Access Control > Settings.

Answer : A

31. organization wants more visibility into actions taken by Google staff related to your data for
audit and security reasons. They are specifically interested in understanding the actions
performed by Google support staff with regard to the support cases you have opened with
Google. What should you do to gain more visibility?

A. From Google Admin Panel, go to Audit, and select Access Transparency Logs.

B. From Google Admin Panel, go to Audit, and select Login Audit Log.

C. From Google Admin Panel, go to Audit, and select Rules Audit Log.

D. From Google Admin Panel, go to Audit, and select Admin Audit Log.

Answer : D
32. Your organization recently had a sophisticated malware attack that was propagated through
embedded macros in email attachments. As a Workspace administrator, you want to provide an
additional layer of anti-malware protection over the conventional malware protection that is
built into Gmail. What should you do to protect your users from future unknown malware in
email attachments?

A. Run queries in Security Investigation Tool.

B. Turn on advanced phishing and malware protection.

C. Enable Security Sandbox.

D. Enable Gmail confidential mode.

Answer : B

33. Your organization's information security team has asked you to determine and remediate if
a user (user1@example.com) has shared any sensitive documents outside of your organization.
How would you audit access to documents that the user shared inappropriately?

A. Open Security Investigation Tool-> Drive Log Events. Add two conditions: Visibility Is External,
and Actor Is user1@example.com.

B. Have the super administrator use the Security API to audit Drive access.

C. As a super administrator, change the access on externally shared Drive files manually
under user1@example.com.

D. Open Security Dashboard-> File Exposure Report-> Export to Sheet, and filter
for user1@example.com.

Answer : C

34. A user is reporting that external, inbound messages from known senders are repeatedly
being incorrectly classified as spam. What steps should the admin take to prevent this behavior
in the future?

A. Modify the SPF record for your internal domain to include the IPs of the external user's mail
servers.
B. Update the spam settings in the Admin Console to be less aggressive.

C. Add the sender's domain to an allowlist via approved senders in the Admin Console.

D. Instruct the user to add the senders to their contacts.

Answer : A

35. credentials of several individuals within your organization have recently been stolen. Using
the Google Workspace login logs, you have determined that in several cases, the stolen
credentials have been used in countries other than the ones your organization works in. What
else can you do to increase your organization's defense-in-depth strategy?

A. Implement an IP block on the malicious user's IPs under Security Settings in the Admin
Console.

B. Use Context-Aware Access to deny access to Google services from geo locations other than
the ones your organization operates in.

C. Enforce higher complexity passwords by rolling it out to the affected users.

D. Use Mobile device management geo-fencing to prevent malicious actors from using these
stolen credentials.

Answer : B

36. You are the Workspace administrator for an international organization with Enterprise Plus
Workspace licensing. A third of your employees are located in the United States, another third
in Europe, and the other third geographically dispersed around the world. European employees
are required to have their data stored in Europe. The current OU structure for your organization
is organized by business unit, with no attention to user location. How do you configure
Workspace for the fastest end user experience while also ensuring that European user data is
contained in Europe?

A. Configure a data region at the top level OU of your organization, and set the value to
“Europe”.

B. Add three additional OU structures to designate location within the current OU structure.
Assign the corresponding data region to each.
C. Configure a configuration group for European users, and set the data region to “Europe”.

D. Configure three configuration groups within your domain. Assign the appropriate data
regions to each corresponding group, but assign no preference to the users outside of the
United States and Europe.

Answer : A

37. As a team manager, you need to create a vacation calendar that your team members can
use to share their time off. You want to use the calendar to visualize online status for team
members, especially if multiple individuals are on vacation What should you do to create this
calendar?

A. Request the creation of a calendar resource, configure the calendar to “Auto-accept

invitations that do not conflict,” and give your team “See all event details” access.

B. Create a secondary calendar under your account, and give your team “Make changes to
events” access.

C. Request the creation of a calendar resource, configure the calendar to “Automatically add all
invitations to this calendar,” and give your team “See only free/busy” access.

D. Create a secondary calendar under your account, and give your team “See only free/busy”
access.

Answer : C

38. Your Finance team has to share quarterly financial reports in Sheets with an external
auditor. The external company is not a Workspace customer and allows employees to access
public sites such as Gmail and Facebook. How can you provide the ability to securely share
content to collaborators that do not have a Google Workspace or consumer (Gmail) account?

A. Allow external sharing with the auditor using the ‘Trusted Domains’ feature.

B. Enable the ‘Visitor Sharing’ feature, and demonstrate it to the Finance team.

C. Use the ‘Publish’ feature in the Sheets editor to share the contents externally.

D. Attach the Sheet file to an email message, and send to the external auditor.
Answer : D

39. Your organization has noticed several incidents of accidental oversharing inside the
organization. Specifically, several users have shared sensitive Google Drive items with the entire
organization by clicking ‘anyone in this group with this link can view’. You have been asked by
senior management to help users share more appropriately and also to prevent accidental
oversharing to the entire organization. How would you best accomplish this?

A. Create groups, add users accordingly, and educate users on how to share to specific groups
of people.

B. Disable sharing to the entire organization so that users must consciously add every person
who needs access.

C. Determine sharing boundaries for users that work with sensitive information, and then
implement target audiences.

D. Temporarily disable the Google Drive service for individuals who continually overshare.

Answer : B

40. You are a Workspace Administrator with a mix of Business Starter and Standard Licenses for
your users. A Business Starter User in your domain mentions that they are running out of Drive
Storage Quota. Without deleting data from Drive, what two actions can you take to alleviate
the quota concerns for this user? (Choose two.)

A. Add other users as “Editors” on the Drive object, thus spreading the storage quota debt
between all of them.

B. Manually export and back up the data locally, and delete the affected files from Drive to
alleviate the debt.

C. Make another user the “Owner” of the Drive objects, thus transferring the storage quota
debt to them.

D. Perform an API query for large storage drive objects, and delete them, thus alleviating the
quota debt.

E. Move the affected items to a Shared Drive. Shared Drives transfer ownership of the drive
item to the domain itself, which alleviates the quota debt from that user.
Answer : D,E

41. Your organization is preparing to deploy Workspace and will continue using your company’s
existing identity provider for authentication and single sign-on (SSO). In order to migrate data
from an external system, you were required to provision each user’s account in advance. Your
IT team and select users (~5% of the organization) have been using Workspace for configuration
and testing purposes. The remainder of the organization can technically access their accounts
now, but the IT team wants to block their access until the migrations are complete. What
should your organization do?

A. Remove Google Workspace license to prevent users from accessing their accounts now.

B. Suspend users that the organization does not wish to have access.

C. Add the users to the OU with all services disabled.

D. Use Context-Aware Access to simultaneously block access to all services for all users and
allow access to all services for the allowed users.

Answer : B

42. Your company has acquired a new company in Japan and wants to add all employees of the
acquisition to your existing Google Workspace domain. The new company will retain its original
domain for email addresses and, due to the very sensitive nature of its work, the new
employees should not be visible in the global directory. However, they should be visible within
each company's separate directory. What should you do to meet these requirements?

A. Create a new Google Workspace domain isolated from the existing one, and create users in
the new domain instead.

B. Under Directory Settings > Contact sharing, disable the contact sharing option and wait for
24 hours to allow the settings to propagate before creating the new employee accounts.

C. Redesign your OU organization to have 2 child OUs for each company directly under the root.
In Directory Settings > Visibility Settings, define custom directories for each company, and set
up Visibility according to the OU.

D. Create one dynamic group for each company based on a custom attribute defining the
company. In Directory Settings > Visibility Settings, define custom directories for each company,
and set up Visibility according to the dynamic group.
Answer : C

43. You are in the middle of migrating email from on-premises Microsoft Exchange to Google
Workspace. Users that you have already migrated are complaining of messages from internal
users going into spam folders. What should you do to ensure that internal messages do not go
into Gmail spam while blocking spoofing attempts?

A. Train users to click on Not Spam button for emails.

B. Add all users of your domain to an approved sender list.

C. Force TLS for your domain.

D. Ensure that your inbound gateway is configured with all of your Exchange server IP
addresses.

Answer : B

44. A user is reporting that after they sign in to Gmail, their labels are not loading and buttons
are not responsive. What action should you take to troubleshoot this issue with the user?

A. Collect full message headers for examination.

B. Check whether the issue occurs when the user authenticates on a different device or a new
incognito window.

C. Check whether a ping test to service.gmail.com (pop.gmail.com or imap.gmail.com) is

successful.

D. Check whether traceroute to service.gmail.com (pop.gmail.com or imap.gmail.com) is

successful.

Answer : A

45. A retail company has high employee turnover due to the cyclical nature in the consumer
space. The increase in leaked confidential content has created the need for a specific
administrative role to monitor ongoing employee security investigations. What step should you
take to increase the visibility of such investigations?

A. Assign the ‘Services Admin’ role to an administrator with ‘Super Admin’ privileges.
B. Create a ‘Custom Role’ and add all the Google Vault privileges for a new administrator.

C. Validate that the new administrator has access to Google Vault.

D. Create a ‘Custom Role’ and add the ability to manage Google Vault matters, holds, searches,
and exports.

Answer : D

46. A subset of users from the finance and human resources (HR) teams need to share
documents with an external vendor. However, external content sharing is prohibited for the
entire finance team. What would be the most secure method to enable external sharing for this
set of users?

A. Download and attach the documents to a Gmail message, and send them to the external
vendor.

B. Move all users from the finance org unit to the HR org unit.

C. Enable ‘Visitor Sharing’ for the entire finance org unit.

D. Create a group with the finance and HR users who need to share externally.

Answer : D

47. As the newly hired Admin in charge of Google Workspace, you learn that the organization
has been using Google Workspace for months and has configured several security rules for
accessing Google Drive. A week after you start your role, users start to complain that they
cannot access Google Drive anymore from one satellite office and that they receive an error
message that “a company policy is blocking access to this app.” The users have no issue with
Gmail or Google Calendar. While investigating, you learn that both this office's Internet Service
Provider (ISP) and the global IP address when accessing the internet were changed over the
weekend. What is the most logical reason for this issue?

A. An access level was defined based on the IP range and applied to Google Drive via Context-
Aware Access.

B. Under Drive and Docs > Sharing Settings, the “Whitelisted domains” list needs to be updated
to add the new ISP domain.
C. The Network Mask defined in Security > Settings > SSO with 3rd Party IdPs should be updated
to reflect the new IP range.

D. You need to raise a ticket to Google Cloud Support to have your new IP ranges registered for
Drive API access.

Answer : A

48. An end user informs you that they are having issues receiving mail from a specific sender
that is external to your organization. You believe the issue may be caused by the external
entity’s SPF record being incorrectly configured. Which troubleshooting step allows you to
examine the full message headers for the offending message to determine why the messages
are not being delivered?

A. Use the Postmaster Tools API to pull the message headers.

B. Use the Email Log Search to directly review the message headers.

C. Use the Security Investigation Tool to review the message headers.

D. Perform an SPF record check on the domain to determine whether their SPF record is valid.

Answer : D

49. You have been asked to support an investigation that your litigation team is conducting. The
current default retention policy for mail is 180 days, and there are no custom mail retention
policies in place. The litigation team has identified a user who is central to the investigation,
and they want to investigate the mail data related to this user without the user's awareness.
What two actions should you take? (Choose two.)

A. Move the user to their own Organization Unit, and set a custom retention policy.

B. Create a hold on the user's mailbox in Google Vault.

C. Reset the user's password, and share the new password with the litigation team.

D. Copy the user's data to a secondary account.

E. Create a matter using Google Vault, and share the matter with the litigation team members.
Answer : B,E

50. A recent legal investigation requires all emails and Google Drive documents from a specific
user to be retrieved. As the administrator, how can you fulfill the legal team's request?

A. Use Security Investigation Tool to Search Google Drive events for all of the user's documents,
and use Google Admin > Reports > Email Log Search to find their emails.

B. Search Google Drive for all of the user’s documents, and ask them to forward all of their
emails.

C. Use the Gmail API and Google Drive API to automatically collect and export data.

D. Utilize Google Vault to hold, search, and export data of interest.

Answer : A

What steps does an administrator need to take to enforce TLS with a particular domain?

A. Enable email safety features with the receiving domain.

B. Set up secure transport compliance with the receiving domain.

C. Configure an alternate secure route with the receiving domain.

D. Set up DKIM authentication with the receiving domain.

Answer : B

51. Your company’s Google Workspace primary domain is “mycompany.com,” and it has
acquired a startup that is using another cloud provider with a domain named “mystartup.com.”
You plan to add all employees from the startup to your Google Workspace domain while
preserving their current mail addresses. The startup CEO's email address
is andrea@mystartup.com, which also matches your company CEO's email address
as andrea@mycompany.com, even though they are different people. Each must keep the usage
of their email. In addition, your manager asked to have all existing security policies applied for
the new employees without any duplication. What should you do to implement the migration?
A. Create a secondary domain, mystartup.com, within your current Google Workspace domain,
set up necessary DNS records, and create all startup employees with the secondary domain as
their primary email addresses.

B. Create an alias domain, mystartup.com, in your existing Google Workspace domain, set up
necessary DNS records, and create all startup employees with the alias domain as their primary
email addresses.

C. Create a new Google Workspace domain with “mystartup.com,” and create a trust between
both domains for reusing the same security policies and sharing employee information within
the companies.

D. Create the startup employees in the “mycompany.com’ domain, and add a number at the
end of the user name whenever there is a conflict. In Gmail > Routing, define a specific route
for the OU that targets the startup employees, which will modify the email address domain to
“mystartup.com,” and remove any numbers previously added. In addition, confirm that the SPF
and DKIM records are properly set.

Answer : D